diff --git a/.github/workflows/code-coverage-deploy.yml b/.github/workflows/code-coverage-deploy.yml
index 0a130f1dc..02ec89789 100644
--- a/.github/workflows/code-coverage-deploy.yml
+++ b/.github/workflows/code-coverage-deploy.yml
@@ -1,4 +1,5 @@
 name: "Code Coverage (Deploy)"
+# see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
 
 on:
   workflow_run:
@@ -17,11 +18,27 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
+      
+      - name: Set shas
+        id: sha
+        uses: actions/github-script@v6
+        with:
+          result-encoding: string
+          script: |
+            const {data: callee_run } = await github.rest.actions.getWorkflowRun({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: context.payload.workflow_run.id,
+            });
+
+            console.log(callee_run);
+            return callee_run.head_sha;
 
+        
       - name: Download artifact
         uses: dawidd6/action-download-artifact@v2
         with:
-          name: code-coverage-${{ github.event.workflow_run.head_sha }}
+          name: code-coverage-${{ steps.sha.outputs.result }}
           workflow: code-coverage.yml
           path: ./deploy
 
@@ -29,28 +46,28 @@ jobs:
         uses: JamesIves/github-pages-deploy-action@v4
         with:
           folder: ./deploy
-          target-folder: "coverage/${{ github.event.workflow_run.head_sha }}"
+          target-folder: "coverage/${{ steps.sha.outputs.result }}"
           branch: gh-pages
-          commit-message: "Actions: Code Coverage for ${{ github.event.workflow_run.head_sha }}"
+          commit-message: "Actions: Code Coverage for ${{ steps.sha.outputs.result }}"
 
-      - name: If on main branch, copy coverage report to /latest.
+      - name: If on main branch, copy coverage report to /main.
         if: github.ref == 'refs/heads/main'
         uses: JamesIves/github-pages-deploy-action@v4
         with:
           folder: ./deploy
-          target-folder: "coverage/latest"
+          target-folder: "coverage/main"
           branch: gh-pages
-          commit-message: "Actions: Update latest code coverage for main (${{ github.event.workflow_run.head_sha }})"
+          commit-message: "Actions: Update code coverage for main (${{steps.sha.outputs.result}})"
 
       - name: Format summary
         run : |
-          CONJURE_OXIDE_URL="https://conjure-cp.github.io/conjure-oxide/coverage/${{ github.event.workflow_run.head_sha }}/conjure-oxide"
-          MINION_URL="https://conjure-cp.github.io/conjure-oxide/coverage/${{ github.event.workflow_run.head_sha }}/minion"
-          CHUFFED_URL="https://conjure-cp.github.io/conjure-oxide/coverage/${{ github.event.workflow_run.head_sha }}/chuffed"
+          CONJURE_OXIDE_URL="https://conjure-cp.github.io/conjure-oxide/coverage/${{ steps.sha.output.result }}/conjure-oxide"
+          MINION_URL="https://conjure-cp.github.io/conjure-oxide/coverage/${{ steps.sha.output.result }}/minion"
+          CHUFFED_URL="https://conjure-cp.github.io/conjure-oxide/coverage/${{ steps.sha.output.result }}/chuffed"
 
-          CONJURE_OXIDE_LATEST="https://conjure-cp.github.io/conjure-oxide/coverage/latest/conjure-oxide"
-          MINION_LATEST="https://conjure-cp.github.io/conjure-oxide/coverage/latest/minion"
-          CHUFFED_LATEST="https://conjure-cp.github.io/conjure-oxide/coverage/latest/chuffed"
+          CONJURE_OXIDE_LATEST="https://conjure-cp.github.io/conjure-oxide/coverage/main/conjure-oxide"
+          MINION_LATEST="https://conjure-cp.github.io/conjure-oxide/coverage/main/minion"
+          CHUFFED_LATEST="https://conjure-cp.github.io/conjure-oxide/coverage/main/chuffed"
           echo '# Code Coverage' >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "## This commit" >> $GITHUB_STEP_SUMMARY
@@ -81,9 +98,24 @@ jobs:
           ref: "gh-pages"
           path: "pages"
 
+      - name: Set shas
+        id: sha
+        uses: actions/github-script@v6
+        with:
+          result-encoding: string
+          script: |
+            const {data: callee_run } = await github.rest.actions.getWorkflowRun({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: context.payload.workflow_run.id,
+            });
+
+            console.log(callee_run);
+            return callee_run.head_sha;
+
       - name: "Generate indexes"
         run: |
-          ./etc/ci/genindex.py pages/coverage/${{ github.event.workflow_run.head_sha }}
+          ./etc/ci/genindex.py pages/coverage/${{ steps.sha.outputs.result }}
           ./etc/ci/genindex.py pages/coverage/latest
           ./etc/ci/genindex.py pages/coverage/
 
diff --git a/.github/workflows/code-coverage.yml b/.github/workflows/code-coverage.yml
index d0099e9b5..69f2bbf40 100644
--- a/.github/workflows/code-coverage.yml
+++ b/.github/workflows/code-coverage.yml
@@ -49,7 +49,7 @@ jobs:
           
       - name: Move all html to correct folders for deployment
         run: |
-          # put things both in the sha directory, and in latest/
+          # put things both in the sha directory, and in main/
           mkdir -p deploy/conjure-oxide
           mkdir -p deploy/minion
           mkdir -p deploy/chuffed
@@ -64,5 +64,28 @@ jobs:
           name: code-coverage-${{ github.sha }}
           path: deploy/**
 
+      - name: Format summary
+        run : |
+          CONJURE_OXIDE_URL="https://conjure-cp.github.io/conjure-oxide/coverage/${{ github.event.workflow_run.head_sha }}/conjure-oxide"
+          MINION_URL="https://conjure-cp.github.io/conjure-oxide/coverage/${{ github.event.workflow_run.head_sha }}/minion"
+          CHUFFED_URL="https://conjure-cp.github.io/conjure-oxide/coverage/${{ github.event.workflow_run.head_sha }}/chuffed"
 
+          CONJURE_OXIDE_LATEST="https://conjure-cp.github.io/conjure-oxide/coverage/main/conjure-oxide"
+          MINION_LATEST="https://conjure-cp.github.io/conjure-oxide/coverage/main/minion"
+          CHUFFED_LATEST="https://conjure-cp.github.io/conjure-oxide/coverage/main/chuffed"
+          echo '# Code Coverage' >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "## This commit" >> $GITHUB_STEP_SUMMARY
+          echo "| Crate | |  | " >> $GITHUB_STEP_SUMMARY
+          echo "| ----- | ----- | ----- |" >> $GITHUB_STEP_SUMMARY
+          echo "| Conjure-Oxide | ![](${CONJURE_OXIDE_URL}/badges/flat.svg) | [Full Report](${CONJURE_OXIDE_URL}) | " >> $GITHUB_STEP_SUMMARY
+          echo "| Minion        | ![](${MINION_URL}/badges/flat.svg)        | [Full Report](${MINION_URL}) | " >> $GITHUB_STEP_SUMMARY
+          echo "| Chuffed       | ![](${CHUFFED_URL}/badges/flat.svg)       | [Full Report](${CHUFFED_URL}) | " >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "## Main" >> $GITHUB_STEP_SUMMARY
+          echo "| Crate | |  | " >> $GITHUB_STEP_SUMMARY
+          echo "| ----- | ----- | ----- |" >> $GITHUB_STEP_SUMMARY
+          echo "| Conjure-Oxide | ![](${CONJURE_OXIDE_LATEST}/badges/flat.svg) | [Full Report](${CONJURE_OXIDE_LATEST}) | " >> $GITHUB_STEP_SUMMARY
+          echo "| Minion        | ![](${MINION_LATEST}/badges/flat.svg)        | [Full Report](${MINION_LATEST}) | " >> $GITHUB_STEP_SUMMARY
+          echo "| Chuffed       | ![](${CHUFFED_LATEST}/badges/flat.svg)       | [Full Report](${CHUFFED_LATEST}) | " >> $GITHUB_STEP_SUMMARY